TROYANOSYVIRUS
← Back to CVEs

CVE-2024-12271

MEDIUM
4.4

Description

The 360 Javascript Viewer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the β€˜ref’ parameter in all versions up to, and including, 1.7.29 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

CVE Details

CVSS v3.1 Score4.4
SeverityMEDIUM
CVSS VectorCVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Attack VectorNETWORK
ComplexityHIGH
Privileges RequiredHIGH
User InteractionNONE
Published12/12/2024
Last Modified12/12/2024
Sourcenvd
Honeypot Sightings0

Weaknesses (CWE)

CWE-79

References

https://plugins.trac.wordpress.org/browser/360deg-javascript-viewer/trunk/includes/class-jsv-360-parser.php#L129(security@wordfence.com)
https://plugins.trac.wordpress.org/browser/360deg-javascript-viewer/trunk/includes/class-jsv-360-parser.php#L162(security@wordfence.com)
https://plugins.trac.wordpress.org/changeset/3206400/(security@wordfence.com)
https://www.wordfence.com/threat-intel/vulnerabilities/id/12b4e363-248f-469a-a958-0b1ec5c6e37f?source=cve(security@wordfence.com)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.